On 8/13/2014 11:16 AM, Kathleen Wilson wrote [in part]:
> All,
>
> As the CFCA discussion showed, there are a few things still to figure
> out regarding the audits of CA conformance to the BRs.
>
> Here are my proposals.
[snipped]
> 3) If the CA's auditor missed something regarding the BRs, then the CA
> has to fix the problems and be re-audited by a different auditor.
> Would a *complete* audit need to be performed?
> Or just an audit to show the problems have been resolved?
> Should we require that the re-audit be for a minimum of 3 months?
>
> This can be added to our wiki pages now, and we may want to consider
> adding this to the actual policy.
Often, a new auditor will require a complete audit. Changing an auditor
is somewhat like changing a primary-care physician. The new physician
will often require a complete physical of the patient instead of relying
on records from the prior primary-care physician.
As with a new physician, a completely new audit is an expense for the
certification authority, which I suspect would resist any request for
such an audit. Compliance might not be obtained unless (as proposed in
the past) we institute publicizing non-compliance, not merely with a
"wall of shame" on a Mozilla Web site but also sending out press
releases to appropriate news media, alerts to US-CERT, and messages to
non-Mozilla newsgroups.
--
David E. Ross
The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy